Your organization needs a strong, foundational approach to network security management to protect your organization against malicious cyberattacks and harmful breaches. Advanced cybersecurity tools such as Crowdstrike, Cylance, and Red Cloak provide impressive threat detection and response capabilities to enhance your security posture. But relying solely on these solutions without developing strong controls to support them is like placing the most advanced, intricate lock on your front door—only to realize that you’ve left the window open.
To secure your systems, your organization must focus on developing comprehensive asset management, patch management, and vulnerability management procedures. Together, these three processes provide an optimized, stable foundation for security in your organization. During our presentation at InfoSec World 2020, we took an in-depth look at why these controls are so critical, detailed the necessary factors required in each, and analyzed the results from recently conducted penetration tests to gauge the state of our clients’ cybersecurity posture.
1. Asset Management
Asset management is the process of inventorying, tracking, and managing everything in your environment. This means acknowledging any hardware or software present in your organization, and the standards associated with securing each. Ensure that you haven’t omitted anything, such as overlooking a piece of equipment plugged in by an employee that wasn’t previously on the inventory.
Asset management doesn’t just deal with the hardware at your workstations—but also with the software it contains. You must actively detect everything on your network so you can bring these factors into your protection practices. Identify what vulnerabilities are on your network, and then analyze your attack vectors (e.g. where these threats could be coming from) in order to implement the correct processes to mitigate these threats.
Through our penetration tests, we’ve seen that some commonly overlooked areas are:
- Firewall/IDS appliances
- Internet of Things (IoT) devices
- Printers, scanners, copiers
- Routers and switches
- SANs and similar appliances
Analyze these devices and identify unique elements of each that may need to be managed differently to maintain security.
You must always know what applications are on your devices. Anything from operating systems (O/S), administrative protocols and services, web management consoles, and end-of-life dates could place vulnerabilities in your systems. Reduce your attack surface by analyzing necessary aspects of these installations and deleting unnecessary tools. If you don’t need it, turn it off.
To address issues, you need the most up-to-date inventory possible. Invest in an automated inventory management utility to regularly scan for irregularities and detect new vulnerabilities in your assets. You should also scan all RFC1918 ranges.
2. Patch Management
Patch management is informed by asset management, and is the proactive protection of all identified assets. Now that you have an inventory of your hardware, software, firmware, appliances, IoT devices, and more, you should continuously search for gaps in security and update accordingly. Pay careful attention to frequently neglected factors, such as:
- Non-server/non-workstation hardware
- Third-party software
- User-installed desktop applications
Consider how you would update things like copiers, firewalls, digital cameras, and IP-connected equipment. Look into how every system is managed and update processes when special circumstances arise. For example, COVID-19 forced many organizations to transfer to a remote workforce, sending employees home with laptops and remote software. How is your company managing the increase in patches needed for this software?
Also identify any “edge cases” that might fall outside the standard scope of your automated systems and procedures. For example, Microsoft patches will be deployed and installed, the system will be rebooted, and everything will look good from the perspective of your patch management system. But the vulnerability isn’t remediated. There’s often an additional step, such as a change to your registry keys, that needs to be done manually to finalize the remediation. During this process, you’ll often have something more than just the patch. So although your patch management process will correctly identify it as being patched, the associated vulnerability might not be fully diminished.
You may run into a scenario where there aren’t any patches to be found (such as on end-of-life software). In this case, you may think that your patch management is all set, but you’ll need to rely on your vulnerability systems and asset management facilities to detect threats. A lack of missing patches doesn’t make a product secure.
3. Vulnerability Management
Your vulnerability management validates your patch management system. If the patch management system knew a patch was missing, it would’ve patched it. You need a separate and distinct function that validates that these patches are seen, addressed, and secure.
Scope and frequency are key in this process. Regular, ongoing, in-house vulnerability testing is required to keep your systems secure, and your testing should include everything (representative samples are no longer adequate). Vulnerability scans should be conducted at least monthly, and there are even companies that conduct them daily.
You shouldn’t rely solely on risk scores to remediate your vulnerabilities. You’re doing yourself a disservice if you only focus on critical, high-risk vulnerabilities and disregard items that are automatically tagged as lower risk—because those are sometimes the issues that could lead to fixing practical security items in your environment. So scrutinize every risk encountered in your vulnerability scans, and instead of relying on one specific risk score, analyze the risk comparatively to the circumstances of how it was scanned, how it would impact the business, and what your organization wants to accomplish with its mitigation.
The Proof is in the Pen Testing
Once you believe that all necessary factors are in place in your network security program, engaging a third party to conduct penetration testing is a solid method to verify its effectiveness and expose unknown gaps that could leave you vulnerable.
To determine the cybersecurity postures among current organizations, we analyzed our most recent network penetration tests—and our findings reiterate the importance of a strong cybersecurity foundation.
Internal Penetration Tests
Out of 20 infiltration attempts, 18 were successful, meaning there was some significant level of privilege escalation or data extraction. A lack of adequate cyber hygiene alone allowed us to compromise 55% of these networks, where we exploited a basic issue such as a missing patch, a default administrative credential, or a device that an organization forgot was present.
Some of the most prominent cyber hygiene issues that we saw were:
- Missing or Uninstalled Patches
- We were able to infiltrate many systems due to missing patches, especially on multi-function printers and other Internet of Things (IoT) devices. Many of these patches had already been published, but weren’t immediately initiated—leaving their appliances vulnerable.
- Default Configurations, Credentials, Unsecured Service, and Protocols
- There were also many cases where an asset came with unnecessary configurations or credentials that weren’t identified and turned off, therefore allowing us entry. This was most commonly found in web servers, IoT devices, or other unusual instances.
- Excessive Access
- Failure to identify and restrict sensitive data was a major issue in these cases. It’s common for a generic service type user account to have full domain administrative rights—but it doesn’t need that. Restricting access to sensitive data, shares, or highly privileged groups to only essential personnel is key. There are many cases when general domain users have access to more than they should, and once penetration testers start to pivot from additional perspectives, they can quickly escalate their privileges. Looking for those levels of access rights, and those restrictions of privileged categories and groups, is crucial to maintaining your general cyber hygiene throughout the network.
External Penetration Tests
While evaluating 13 recent external penetration tests, we saw that 38% of our successful breaches were caused by known, published, missing patches or exploits.
In an analysis of 50 vulnerability tests, we saw that organizations with effective cyber hygiene practices saw a 70-80% decrease in vulnerabilities and exploits.
Security tools such as Endpoint Threat Detection and Response (EDR), Security Information Event Management (SIEM), and Intrusion Detection Systems (IDS) are effective methods to aid in detection and remediation of threats and risks. However, when it comes to cybersecurity, there are no magic solutions. These tools are intended to be the last line of defense, not the first. If the foundational layers of cyber hygiene aren’t there (asset, patch, and vulnerability management), then any additional layer of defense will be subject to failure. You can’t solely rely on these tools to manage your cybersecurity, and not having adequate management prior to their implementation will make their job exponentially more difficult by leaving them to handle a torrent of preventable attacks.
Engaging a third party to conduct these beneficial penetration tests could help your company identify and remediate any gaps or pitfalls present in your cybersecurity controls.
Implementing, updating, and maintaining the three pillars of network security management is essential to your organization’s strength and stability. Respected cybersecurity frameworks (such as CIS CSC, NIST Framework for Improving Critical Infrastructure Cybersecurity, and ISO/IEC 27001:2013) strongly encourage the presence of strong asset, patch, and vulnerability management structures. In order to maintain the integrity of your cybersecurity posture, and protect against rapidly evolving threats, this triangle of network security must be ingrained in your organization.